Faced with regulatory penalties, an avalanche of due diligence questionnaires, and stringent contractual clauses, companies of all sizes have been impacted by GDPR. To date, most companies have tackled GDPR with sheer effort, investing billions of dollars toward compliance with little or no assurance that their efforts have paid off. As a result, business leaders are left wondering “Are we compliant?” and “Are our business partners compliant?”
Absent an official GDPR certification, companies have scraped by with a gamut of costly due diligence questionnaires, customer audits, and stringent data protection addenda (DPAs) in an attempt to gain at least minimum comfort that their sub-processors or co-controllers are meeting the requirements spelled out by GDPR. These efforts have left a looming question for all affected companies: “When will there be a GDPR certification?”
The recent publication of ISO 27701 may be the answer we’ve been waiting for.
What is ISO 27701?
ISO 27701 is a privacy-specific extension to ISO 27001 that closely aligns with GDPR and for which companies may obtain official certification.
Structure of ISO 27701
ISO 27701 is nested within the ISO 27000 series and requires adherence to the ISO 27001 standard. As an information security framework, ISO 27001 is structured around the “Information Security Management System” (commonly referred to as the ISMS), which establishes a set of processes to govern, implement, operate, monitor, review and continuously improve the organization’s information security. In addition, ISO 27001 defines 114 controls in Annex A that companies typically implement as part of aligning to the framework.
ISO 27701 extends the requirements of ISO 27001 to take into account the protection of privacy of individuals whose PII is held by a company seeking certification. As ISO 27701 is an extension of the ISO 27001 standard, ISO 27701 certifications will not be issued on a stand-alone basis. A company obtaining a certification under ISO 27001 may include ISO 27701 within the scope of its certification if it implements the guidance under ISO 27701.
In Clause 5 of ISO 27701, the requirements of ISO 27001 Clauses 4-10 are addressed. Within each ISO 27001 clause, ISO 27701 may provide additional privacy-specific guidance or simply affirm the requirements of ISO 27001.
Clause 6 of ISO 27701 begins the privacy-oriented interpretation of ISO 27002, the implementation guidance for ISO 27001. Each ISO 27001 Annex A control is presented and either adopted with no change, or modified with privacy-specific guidance. With the exception of A.17 (Business Continuity), one or more controls within each section of Annex A have privacy-specific implementation guidance.
Clause 7 of ISO 27701 provides additional controls relevant to PII controllers. For each Clause 7 control, implementation guidance is also provided.
Clause 8 of ISO 27701 contains additional controls relevant to PII processors. As with Clause 7, implementation guidance is also provided for each control.
Annex D provides an illustrative mapping of ISO 27701 clauses to GDPR Articles. The authors of ISO 27701 suggest that ISO 27701 addresses GDPR Articles 5-49, with the exception of Article 43 (Certification bodies). Risk3sixty’s interpretation will be published in a whitepaper next week and in a series of blog posts to follow.
Annex F contains informal practical guidance on applying ISO 27701.
Obtaining ISO 27701 Certification
As we mentioned, ISO 27701 extends the requirements of ISO 27001 to take into account the protection of privacy of individuals whose PII is held by a company seeking certification. As ISO 27701 is an extension of the ISO 27001 standard, ISO 27701 certifications will not be issued on a stand-alone basis. A company must seek to obtain a certification under ISO 27001 and will then include ISO 27701 within the scope of its certification.
The publication of ISO 27701 is highly significant for companies currently facing compliance requirements under ISO 27001, GDPR, or both. ISO 27701 can represent an opportunity to streamline compliance obligations by integrating privacy into your organization’s ISMS, and it is an excellent way to articulate your security and privacy posture to current and future customers.
If you are considering implementing a plan to address security, privacy, and compliance, we can help. Risk3sixty has extensive experience implementing both ISO 27001 and GDPR programs. In fact, our clients have a 100% certification success rate!
You can reach out to one of our team members.